SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Generic)  >   pcAnywhere Vendors:   Symantec
Symantec pcAnywhere Help Interface Yields SYSTEM Privileges to Users
SecurityTracker Alert ID:  1008178
SecurityTracker URL:  http://securitytracker.com/id/1008178
CVE Reference:   CAN-2003-0936   (Links to External Site)
Date:  Nov 13 2003
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via local system, Execution of arbitrary code via network, Modification of system information, Modification of user information, Root access via local system, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 10.x, 11
Description:   A vulnerability was reported in Symantec's pcAnywhere. A local user or a remote authenticated user can obtain SYSTEM privileges.

Secure Network Operations Strategic Reconnaissance Team reported that when pcAnywhere is started as a service (in service-mode, not in application-mode), a user can exploit a flaw in the help interface to gain SYSTEM privileges.

It is reported that a local user (or a remote authenticated user with access to the system tray) can open the help feature to start winhlp32. The user can then use the "File" command and "open" to browser for a '.hlp' file. Instead of selecting a '.hlp' file, the user can reportedly access various files with SYSTEM privileges.

In version 11, the hh.exe help interface can reportedly be exploited in a similar manner by selecting the "view source" option, yielding a Windows notepad session that has SYSTEM privileges.

[Editor's note: Symantec's advisory for this vulnerability will be posted in a separate Alert. The Symantec response says that the vulnerability cannot be exploited remotely, which appears to contradict the Secure Networks Operation advisory. We have asked Symantec for clarification.]
Impact:   A local or remote authenticated user can gain SYSTEM privileges on the target system.
Solution:   The vendor has released a fix, available via Live Update.
Vendor URL:  www.symantec.com/ (Links to External Site)
Cause:   Access control error
Underlying OS:   Windows (Any)

Message History:   None.

 Source Message Contents
Date:  Thu, 13 Nov 2003 15:55:11 -0500
Subject:  [VulnWatch] SRT2003-11-13-0218 - PCAnywhere local SYSTEM exploit


--------------000205080900040107090804
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit


--------------000205080900040107090804
Content-Type: text/plain;
 name="_SRT2003-11-13-0218.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="_SRT2003-11-13-0218.txt"

Secure Network Operations, Inc.             http://www.secnetops.com/research
Strategic Reconnaissance Team               research@secnetops.com
Team Lead Contact                           kf@secnetops.com


Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion 
Detection Systems (IDS), Software Security Validation, and 
Corporate/Private Network Security. Our mission is to facilitate a 
secure and reliable Internet and inter-enterprise communications 
infrastructure through the products and services we offer. 

To learn more about our company, products and services or to request a 
demo of ANVIL FCS please visit our site at http://www.secnetops.com, or 
call us at: 978-263-3829


Quick Summary:
************************************************************************
Advisory Number         : SRT2003-11-13-0218
Product                 : Symantec PCAnywhere
Version                 : 10.x and 11.x
Vendor                  : http://www.symantec.com/pcanywhere/
Class                   : Local
Criticality             : High (to PCAnywhere users)
Operating System(s)     : Win32


Notice
************************************************************************
The full technical details of this vulnerability can be found at:
http://www.secnetops.com under the research section. 


Basic Explanation
************************************************************************
High Level Description  : PCAnywhere allows local users to become SYSTEM
What to do              : run LiveUpdate and apply latest patches. 


Basic Technical Details
************************************************************************
Proof Of Concept Status : SNO has proof of concept. 

Low Level Description   : PCAnywhere is an industry-leading remote control
software that features remote management paired with file transfer capabilities.
PCAnywhere has the ability to help quickly resolve helpdesk and server support 
issues.

When PCAnywhere is started as a service or set to launch with windows an
attacker may be able to take SYSTEM rights via the help interface. AWHOST32.exe 
runs as the user SYSTEM while interacting with the local desktop on the machine 
that PCAnywhere is listening. Users have the ability to interact with AWHOST32
via an icon in the Windows systray. 

Brett Moore of security-assessment.com pointed out a flaw in the Win32 help 
API which can be found at http://www.securityfocus.com/bid/8884 . A variation 
of this attack is present in both PCAnywhere 10 and 11. It is unknown how this
issue affects older versions of PCAnywhere since they are no longer supported
products.

full details at http://www.secnetops.biz/research/SRT2003-11-13-0218.txt

Vendor Status           : Symantec promptly attended to the issue and 
was very responsive during all phases of discovery / research and patching. 
Fixes are now available via LiveUpdate. 

Bugtraq URL             : To be assigned. CVE candidate CAN-2003-0936.
Disclaimer
----------------------------------------------------------------------
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories but can be obtained under contract.. Contact our sales 
department at sales@secnetops.com for further information on how to 
obtain proof of concept code.

----------------------------------------------------------------------
Secure Network Operations, Inc. || http://www.secnetops.com
"Embracing the future of technology, protecting you."


 

--------------000205080900040107090804--


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC